Google Published HIBA, an OpenSSH Extension for Certificate-Based Authorization

Google has published the source code of the HIBA (Host Identity Based Authorization) project, which proposes an implementation of an additional authorization mechanism for organizing user access over SSH in relation to hosts (checking whether access to a particular resource is permitted when authenticating with public keys). Integration with OpenSSH is provided by specifying the HIBA handler in the AuthorizedPrincipalsCommand directive in /etc/ssh/sshd_config. The project code is written in C and distributed under the BSD license.

HIBA uses the standard authentication mechanisms based on OpenSSH certificates for flexible and centralized management of user authorization in relation to hosts, but it does not require periodic changes to the authorized_keys and authorized_users files on the hosts to which connections are made. Instead of storing a list of valid public keys and access conditions in authorized_(keys|users) files, HIBA integrates the user-to-host binding information directly into the certificates themselves. In particular, extensions are proposed for host certificates and user certificates, which store host parameters and the conditions for granting users access.

The check on the host side is initiated by calling the hiba-chk handler specified in the AuthorizedPrincipalsCommand directive. This handler decodes the extensions embedded in the certificates and, based on them, decides whether to grant or block access. Access rules are defined centrally at the level of the certificate authority (CA) and are integrated into certificates at the stage of their generation.

On the certificate authority side, a complete list of available grants is maintained (hosts to which connections are allowed), along with a list of users permitted to use these grants. The hiba-gen utility is provided for generating certified certificates with embedded grant information, and the functionality needed to create a certificate authority is included in the hiba-ca.sh script.

When a user connects, the grant specified in the certificate is confirmed by the digital signature of the certificate authority, which allows all checks to be performed entirely on the side of the target host to which the connection is made, without contacting external services. The list of public keys of the certificate authorities that certify SSH certificates is specified via the TrustedUserCAKeys directive.

In addition to directly linking users to hosts, HIBA lets you define more flexible access rules. For example, information such as location and service type can be associated with hosts, and when defining user access rules, connections can be allowed to all hosts of a given service type or to hosts in a specified location.
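
The attribute-based rules described above can be modelled as follows. This is an added example, not HIBA's code or its certificate extension encoding: the `key=value` text format, the function names and all attribute values are assumptions made for illustration.

```python
# Simplified model of the host-side decision (not HIBA's real extension
# encoding). Attribute names and values below are constructed examples.

def parse_attrs(text):
    """Parse 'key=value,key=value' into a dict; reject malformed or duplicate keys."""
    attrs = {}
    for item in filter(None, (p.strip() for p in text.split(","))):
        key, sep, value = item.partition("=")
        if not sep or not key or not value or key in attrs:
            raise ValueError(f"malformed attribute: {item!r}")
        attrs[key] = value
    return attrs

def grant_matches(grant, identity):
    """A grant applies only if every constraint equals the host's attribute.
    An empty grant matches nothing, so a blank extension is never a wildcard."""
    return bool(grant) and all(identity.get(k) == v for k, v in grant.items())

def check_access(host_identity_text, user_grant_texts):
    """Return True if any grant from the user certificate covers this host.
    Parsing errors fail closed (deny)."""
    try:
        identity = parse_attrs(host_identity_text)
        grants = [parse_attrs(g) for g in user_grant_texts]
    except ValueError:
        return False
    return any(grant_matches(g, identity) for g in grants)

# Constructed sample data: identity from a host certificate,
# grants from three user certificates.
HOST = "domain=example.com,location=eu-west,service=database"
ALICE = ["domain=example.com,service=database"]   # every database host
BOB = ["domain=example.com,location=us-east"]     # hosts in one location
CAROL = ["domain=example.com,location=eu-west,service=web",
         "domain=example.com,role=admin"]         # neither grant fits this host

if __name__ == "__main__":
    for name, grants in (("alice", ALICE), ("bob", BOB), ("carol", CAROL)):
        print(name, "allowed" if check_access(HOST, grants) else "denied")
```

In this model a host attribute that a grant names but the host lacks counts as a mismatch, so a grant can never widen access by referring to attributes the host certificate does not carry.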


Source: opennet.ru